Flame Trojan Ignites Cyberwar Chatter

Security experts are abuzz over the discovery of a highly sophisticated Trojan that is spreading quickly through several Middle Eastern nations.

The virus, dubbed "Flame", is being widely compared to the infamous Stuxnet and Duqu infections, and has been detected in high concentrations in Iran, and to a lesser extent in Israel, Palestine, Sudan and Syria.

According to Kaspersky Labs:

"…We’ve found what might be the most sophisticated cyber weapon yet unleashed. The ‘Flame’ cyber espionage worm came to the attention of our experts at Kaspersky Lab after the UN’s International Telecommunication Union came to us for help in finding an unknown piece of malware which was deleting sensitive information across the Middle East. While searching for that code – nicknamed Wiper – we discovered a new malware codenamed Worm.Win32.Flame."

"Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different, the geography and careful targeting of attacks coupled with the usage of specific software vulnerabilities seems to put it alongside those familiar ‘super-weapons’ currently deployed in the Middle East by unknown perpetrators. Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage."


Stuxnet was a highly sophisticated, purpose-built virus that infected the systems providing operational control for Iranian production networks, and the leading theories held that the malware was produced specifically to stifle Iran's nuclear weapons ambitions.

The Stuxnet virus attacks, which targeted Siemens Programmable Logic Controllers (PLCs), are thought to have caused severe damage to Iranian uranium enrichment facilities and reportedly set back the nation's nuclear program by as much as several years.

In February Reuters reported that both US and European officials believed Iran had successfully eradicated the Stuxnet virus from systems critical to the nation's nuclear weapons development programs.

The modular nature of Stuxnet's design could mean that variants tailored to target other critical components of control systems are already in development, as exemplified by the Duqu virus, which displayed many similarities to Stuxnet even though it was not designed to deliver a payload.

Flame appears to have a similar design, according to analysis:

"Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master…"

"Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers."

"Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated."

Like Duqu, Flame appears to be designed as an intelligence gathering tool rather than a method of payload delivery like Stuxnet:

"Flame appears to be much, much more widespread than Duqu, with probably thousands of victims worldwide. The targets are also of a much wider scope, including academia, private companies, specific individuals and so on."

"According to our observations, the operators of Flame…infect several dozen, then conduct analysis of the data of the victim, uninstall Flame from the systems that aren’t interesting, leaving the most important ones in place. After which they start a new series of infections."

Though the origin of the Flame infection has not been determined, Moshe "Bogie" Ya'alon, a senior Israeli minister, has all but confirmed that the Israeli government is the author, according to a statement broadcast on Galey Tzahal:

"Anyone who believes that the Iranian threat is meaningful would find it desirable to take effective means, including these, to sabotage it. Israel is blessed with being a country that has tremendous technological capabilities. These tools open all sorts of possibilities for us."

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
